[lug] Century Link and "DNSChanger"

Doug Pintar ratnip3 at gmail.com
Wed Jan 4 17:13:03 MST 2012


This hit me about 7-8 months ago.  I've got a Qwest custom-firmware Motorola 3347 modem/router on my DSL, and somebody hacked my DNS.  It didn't seem to direct me anyplace malicious, almost like they were just trying to find who I was looking up.  The IP addresses belonged to some site in Russia, and the only way I discovered it was that it couldn't find the Malwarebytes update server.  (I was doing a lot of PC software repair at the time.)  I tightened up the security on the router, which the default installation instructions from Qwest leave wide open, and it hasn't recurred.
Doug Pintar
  ----- Original Message ----- 
  From: Bear Giles 
  To: Boulder (Colorado) Linux Users Group -- General Mailing List 
  Sent: Wednesday, January 04, 2012 12:40 PM
  Subject: Re: [lug] Century Link and "DNSChanger"


  I've read that some viruses are now targeting routers instead of the PCs behind them. It's exactly this attack - the rogue software redirects the DNS lookups so you get sent to fraudulent sites for MITM attacks, click-capture, etc.


  Could this be what's happening here?


  On Wed, Jan 4, 2012 at 12:30 PM, William D. Knoche <bill.knoche at gmail.com> wrote:

    Is anyone else getting these from the abuse folks at CenturyLink?
    I do run my own dns server but I never see this address in any of my
    router logs, etc.
    What's going on?

    > CenturyLink is dedicated to protecting its customers' Internet experience
    > and works to notify users when their computer systems are infected. Our
    > Security Services organization has received notification from the Federal
    > Bureau of Investigation (FBI) about industry-wide malicious online traffic,
    > which we have identified as impacting this account. This means that your
    > computer or another computer on your network may be infected by malicious
    > software known as "DNSChanger."
    >